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Abstract: In the aftermath of the 2003 Columbia accident, NASA removed the Hubble Space 
Telescope (HST) Servicing Mission 4 (SM4) from the Space Shuttle manifest. Reasons cited included 
concerns that the risk of flying the mission would be too high. The HST SM4 was subsequently 
reinstated and flown as Space Transportation System (STS)- 125 because of improvements in the 
ascent debris environment, the development of techniques for astronauts to perform on orbit repairs to 
damaged thermal protection, and the development of a strategy to provide a viable crew rescue 
capability. However, leading up to the launch of STS- 125, the viability of the HST crew rescue 
capability was a recurring topic. For STS-125, there was a limited amount of time available to 
perform a crew rescue due to limited consumables (power, oxygen, etc.) available on the Orbiter. The 
success of crew rescue depended upon several factors, including when a problem was identified; when 
and what actions, such as powering down, were begun to conserve consumables; and where the 
Launch on Need (LON) vehicle was in its ground processing cycle. Crew rescue success also needed 
to be weighed against preserving the Orbiter’ s ability to have a landing option in case there was a 
problem with the LON vehicle. This paper focuses on quantifying the HST mission loss of crew 
rescue capability using Shuttle historical data and various power down strategies. Results from this 
effort supported NASA’s decision to proceed with STS-125, which was successfully completed on 
May 24 th 2009. 
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1. INTRODUCTION 

Following the Columbia accident (STS-107), the decision was made to remove the HST SM4 from the 
Shuttle manifest for several reasons including the belief that the risk of flying the HST mission would 
be too high, because at the time, there was no stand-alone repair technique or crew rescue capability. 
Following retum-to-flight, NASA revisited the decision to reinstate the HST SM4 because of 
improvements in the ascent debris environment, the ability to perform stand-alone repairs with the 
Orbiter Boom Sensing System (OBSS), and the potential to provide a crew rescue capability. This 
paper focuses on quantifying the HST mission loss of crew rescue capability using Shuttle historical 
data and various power down strategies to conserve Orbiter consumables; thus, extending the mission 
lifetime of the Orbiter. The results from this effort supported NASA’s decision to proceed with the 
HST SM4 a.k.a. STS-125, which was successfully completed on May 24 th 2009. 

2. METHODOLOGY 

The HST SM4 crew rescue risk was calculated utilizing a Discrete Event Simulation (DES) built with 
Rockwell Software’s Arena Discrete Event Simulation Software [1]. A model already in use by 
NASA, the Space Shuttle Manifest Assessment Simulation Tool (MAST), served as the starting point 
for building the HST crew rescue risk simulation [2]. The Arena simulation model of the HST Service 
Mission LON scenario includes the timeframe from HST Service Mission launch through rescue and 
re-entry of the LON mission. The ground timeline for the LON vehicle, also referred to as STS-400, 
was provided by NASA Kennedy Space Center (KSC), and the flight timeline was provided by NASA 
Johnson Space Center (JSC) Mission Operation Directorate (MOD). These timelines will be discussed 
in further detail in Section 3.1. The underlying premise of this analysis is that past performance, 
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expert opinion, and the results from other analyses may be used in conjunction with discrete event 
simulation modeling to help predict future performance i.e., the probability of mission success. 
Historical data regarding the Mobile Launch Platform (MLP), Crawler Transporter (CT), Vehicle 
Assembly Building (VAB), pad, and launch was used to derive delay probabilities and delay 
distributions. Event probabilities for ascent risk, crew transfer risk, and re-entry risk were based upon 
historical data. The model has the option to exclude or include each risk. The results are based upon 
5,000 replications, and sensitivities to model assumptions were performed. 

To understand the crew rescue timeline, some background information on Shuttle risk is necessary. 
Following the Columbia accident, which was the result of ascent debris impacting the Orbiter and 
damaging its Thermal Protection System (TPS), the Shuttle Program initiated on-orbit inspections on 
Flight Day (FD)2 to inspect for critical ascent damage before re-entering the atmosphere and 
challenging the TPS. A later inspection was also added towards the end of the mission to inspect for 
Micrometeoroid and Orbital Debris (MMOD) critical damage. Critical damage is defined as damage 
to the TPS that will result in Loss of Crew and Vehicle (LOCV) during re-entry if action is not taken. 
The timing of the latter inspection varies mission to mission; and for the HST mission, it was 
scheduled for FD9. These two Shuttle risks (ascent debris and MMOD) constitute a significant 
portion of the Shuttle risk (-50%). To mitigate the risk of detected critical damage, the Shuttle 
Program developed repair techniques and a crew rescue capability if a repair cannot be accomplished. 
For International Space Station (ISS) missions, this crew rescue capability relied on the ability to 
shelter the crew on the ISS until a rescue mission could be launched; however, no special processing 
for the LON vehicle occurred until the rescue mission was called up. The ISS provides the capability 
for a stranded crew to wait for an extended period of time for a rescue. Since the HST mission was 
incapable of docking to the ISS due to orbital mechanics, the HST mission’s capability to remain on 
Orbit was limited by the Orbiter’s small supply of consumables. For example, an Orbiter typically 
must return to Earth after about 12-14 days. Provisions were necessary to maximize the HST 
mission’s rescue capability, including manifesting additional LiOH, which absorbs C0 2> and planning 
for contingency power downs, which extend the Orbiter’s stay time by minimizing the use of 
consumables for electric power generation. The contingency power downs analyzed were limited to 
those that were already proceduralized, specifically the Group B power down, Modified Group C 
power down, and Group C+ power down. The Group B power down was part of the nominal flight 
plan to conserve power without impacting the HST mission. The Modified Group C power down 
retained nominal entry capability, while providing additional stay time. For the Group C+ power 
down, nominal entry capability was lost and could not be recovered due to powering off the Auxiliary 
Power Unit (APU) and hydraulic heaters. In both the Modified Group C and Group C+ power downs, 
the capability to dispose of the HST Orbiter via a controlled re-entry to a minimal risk area was 
maintained, which protects the public from re-entry debris. More extensive power downs could be 
performed, but these would have additional unknown risks, including potentially exposing the public 
to re-entry debris. 

Two potential options for LON capability were explored: (1) a dual pad option where the LON 
vehicle would be processed and launched from Launch Complex 39-B, which was the alternate launch 
pad for the HST mission and (2) a single pad option where the LON vehicle would be processed and 
launched from Launch Complex 39-A, which is the same launch pad used for the HST mission. Both 
options were considered to preserve launch capability for the Constellation Program’s Ares I-X, which 
was scheduled to launch from Launch Complex 39-B. An example timeline for dual pad and single 
pad options is shown in Figure 1. Risk trades evaluating single pad verses dual pad were preformed 
several times leading up to the launch of STS- 125. The final decision was to use dual pad operations, 
which increased the margin between first LON opportunity and STS- 125 maximum stay time, 
improving overall probability of success and operational flexibility. Single pad operations incurred 
additional risks such as: reduced margins by delaying first launch opportunity of LON until FD14, 
increased the risk from potential STS-125 launch damage to pad, and included Space Shuttle Vehicle 
(SSV) transfer to pad and pad turnaround. 



Figure 1: Planned Timelines (Flight Day 2 Call-Up and 24-Day Stay Time) 
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3. MODEL INPUTS 

The inputs to the Arena model include mission timelines and risks for completing the crew rescue and 
LON actions prior to depleting the HST Orbiter consumables. For dual pad crew rescue, the following 
risks were considered: post-launch ascent, crew transfer, re-enty risks, launch countdown risk, and 
pad operations flow prior to launch countdown (Pre-LCD) risks. The single pad analysis included all 
the dual pad analysis risks plus risks for pad turnaround (T/A) and transferring the rescue SSV from 
the VAB to the launch pad. These inputs will be discussed in detail in the following subsections. 

3.1. Timelines 

There are two timelines of importance. The first timeline is the LON vehicle timeline, which includes 
ground processing time and the time it takes to rendezvous with the HST vehicle and transfer the crew. 
The second timeline is the HST mission timeline, which includes when inspections and power downs 
occur. 

The dual pad LON baseline timeline is seven days launch to launch as shown on Figure 1. This 
includes four days of pad operations flow and three days of launch countdown. Following a 
successful launch and ascent, it takes two days to rendezvous with the HST vehicle and transfer the 
crew, assuming an accelerated crew transfer. Nominal rendezvous and crew transfer takes 
approximately three days six hours. Once the HST vehicle launches, the LON vehicle will proceed 
with pad operations flow activities until they are complete and the vehicle is at Launch minus three 
days (L-3). The LON vehicle was assumed to be held at L-3 in the baseline analysis; however, 
Launch minus four days (L-4) was analyzed as well. Processing the LON vehicle to L-3 requires 
loading cryogenic hydrogen and oxygen for the Orbiter’ s electric power generating fuel cells, which 
exposes the ground personnel and vehicle to Composite Overwrapped Pressure Vessel (COPV) 
rupture. In addition, holding at L-4 would make it easier to reconfigure the LON vehicle into STS- 
127, which was to be launched off of Pad 39A following the HST mission. 


As discussed in the Background section, there are two important mission events that determine 
whether a crew rescue will be needed, the FD2 inspection and the late inspection. 

As the name implies, FD2 inspection occurs on flight day 2 of the HST mission. However, to confuse 
matters, the Mission Elapsed Time (MET) is ~18 hours; therefore, the inspection occurs at launch plus 
18 hours. Both MET and FD timelines will be used in this discussion. If the FD2 inspection detects 
critical TPS damage, there are two possible outcomes: the critical damage is determined to be 

irreparable or the critical damage is determined to be repairable. If the critical damage is considered to 
be irreparable, the LON vehicle will be “called up” on FD2, with the earliest launch of the LON 
vehicle on FD8 (MET 7) as shown on Figure 1. Depending upon whether the Orbiter performs a 
Modified Group C power down or a Group C+ power down at that time, the HST Orbiter can either 
last until FD19 (MET 18) or FD25 (MET 24). If the critical damage is not immediately determined to 
be irreparable, some additional time is needed to consider whether a repair is necessary. If it is 
determined that a repair is necessary, a Modified Group C power down will be performed on FD3 
(MET 2), with the repair being performed on FD 7 (MET 6). During the repair, it is possible for the 
Extravehicular Activity (EVA) crew to decide the repair is unsuccessful; in this case, the LON vehicle 
will be “called up” on FD7 (MET 6) and begin the launch countdown with the earliest possible launch 
on FD 10 (MET 9). If the EVA crew successfully completes the repair, an inspection will be 
performed to determine if the repair is acceptable for re-entry. At that time, either the vehicle will 
remain in a Modified Group C power down or go to a Group C+ power down, which will extend the 
Orbiter mission time to either FD18 (MET 17) or FD20 (MET 19). 

Late inspection occurs on FD9 (MET 8), and there is limited capability to extend the mission at that 
point. If the late inspection detects critical damage, similar to the FD2 inspection, the damage is either 
repairable or not. Fortunately, the majority of critical MMOD damage is repairable, since the damages 
are generally coating loss or small holes. If damage was determined to be irreparable, the LON 
vehicle would have been “called up” on FD10 (MET 9) and either a Modified Group C power down or 
a Group C+ power down would have been performed at that time to maintain the HST Orbiter until 
FD15 (MET 14) or FD18 (MET 17). More severe power downs would be necessary to protect for a 
failed repair; therefore, the analysis assumed there would be no crew rescue capability in the event of a 
failed MMOD repair. However, this assumption did not significantly increase the risk, because the 
majority of the MMOD repair failures are on re-entry, where crew rescue is not an option. 

As described in this section, one can see the rescue scenarios are complicated and there are several 
decision points to consider, which can influence the risk. Therefore, numerous sensitivity calculations 
were performed. 

3.2. Post-Launch Risks 

HST crew rescue post-launch risks include ascent abort, ascent LOCV, crew transfer, and re-entry 
LOCV. The frequency of post-launch risks that were input into the Arena model were simply based 
on historical data. There were 125 flights prior to launch of the HST mission, 124 of those flights are 
applicable to abort and entry calculations since Challenger (STS-51L) was destroyed during ascent 
and did not experience a re-entry. There has been one ascent abort (STS-51F); therefore, the 
probability of an ascent abort is 1:124. There has been one ascent LOCV (STS-51L); therefore, the 
probability of ascent LOCV is 1:125. There has been one entry LOCV (STS-107); however, in order 
to need crew rescue on the HST mission, the HST mission would also be considered and entry LOCV 
would yield a probability of 2 in 124 or 1 :62. 

The 1:100 risk associated with crew transfer was based upon a basic Cognitive Reliability and Error 
Analysis Method (CREAM) [3] calculation as well as engineering judgment and assumed that the risk 
would be dominated by human error. For crew transfer, the plan was to use the rescue Orbiter’ s 
Shuttle Remote Manipulator System (SRMS) to grapple the HST Orbiter; this is shown in Figure 2. 



Figure 2: Crew Transfer Position [4] 
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Approximately three EVAs were required with five Extravehicular Mobility Units (EMUs) available 
(four on the HST vehicle and one on the LON vehicle). The first EVA would have translated down 
the SRMS and set up a secondary translation path (concept is rope-like). This is a translation path that 
is nominally taught for contingencies, and it is much worse than a nominal translation. The remaining 
HST crew will translate the secondary translation path, except the last translation would be taking the 
same path as the first (i.e., down the SRMS.) Except for the first and last translation, the majority of 
the tasks are very basic. Three crewmembers would not be fully EVA trained (Commander (CDR), 
Pilot (PLT), and SRMS crewmembers); however, they would each have some very basic classes and 
EMU exposure. The plan was to carry the non-EVA trained crewmembers. The secondary translation 
path was established because it would be extremely difficult to carry a second person down the SRMS. 

3.3. Launch Countdown Risk 

Launch probabilities used in the crew rescue simulation were derived from the total Space Shuttle 
launch experience. Consideration was not given for the potential that the Mission Management Team 
(MMT) could behave differently during an LON countdown. For example, the question of whether 
the MMT would be willing to take more risks to achieve a timely launch was not addressed. However, 
as shown in Figure 3, some of the historical launch delays were scrubbed out as not applicable to an 
LON missing. For example, a launch delay due to a payload issue was not considered. Overall, the 
probability of a delay or scrub during launch countdown has been fairly stable since 1991. 


Figure 3: Historical Launch Data 
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Delays or Scrubs During Launch Countdown (S0007) 
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Shuttle historical data was also used to estimate the time between launch attempts. The duration of the 
delay/scrub until the next launch attempt is dependent upon the reason for the delay/scrub. For 
example, weather delays/scrubs have a 67% chance of being one day in duration; whereas, flight 
hardware delays/scrubs are more likely to require a greater number of days. Operational prerogative 
and infrastructure delays seem to fall between the weather and flight hardware delays in terms of 
duration; however, the infrequent nature of these delays and the resulting lack of empirical data makes 
the duration of these delays more difficult to predict with accuracy. Except for the SSME on pad 
abort, consideration was not given for the potential that the time required to recover from a launch 
delay/scrub may be reduced during an LON scenario. Figure 4 shows the historical weather delay 
frequencies; similar distributions were developed for other launch countdown delay contributors. 


Figure 4: Weather Delay Duration 



3.4. Pad Flow Risks 

Directly applying historical data for the pre-launch countdown pad delay risk would be overly 
pessimistic for use in the LON scenario. The HST service mission was not planned to be launched 
until after the bulk of the LON Shuttle pad flow was accomplished; therefore, the majority of this risk 
was retired. For this reason, the historical data was manipulated to reflect an assumption that a large 
percentage of the problems have already been encountered and corrected. To reflect the risk of a delay 
in the time period of concern, the KSC Critical Path Assessments and the JSC Mission Operations 
Directorate (MOD) Space Shuttle Mission Summary were reviewed to estimate probability of launch 
postponements that occur in the final days leading up to launch countdown. Data points that would 
not have applied in an LON scenario, such as payload-induced delays, were discounted. 

3.5. Other Risks 

For single pad crew rescue, the risk of a launch delay while transferring the LON vehicle to the pad 
and pad turnaround had to be considered. With the exception of the potential for increased pad 
scrutiny in the case of an ascent debris damage, these risks are not considered for dual pad crew rescue 
since the HST mission wound not have launched without the LON vehicle ready to launch off of Pad 
39B. These risks are summarized briefly in this section. 

The pad transfer delay risk for the single pad crew rescue operation stems from weather restrictions, 
infrastructure (e.g., the CT) problems, and flight hardware concerns. The historical data available for 
review included 91 SSV rollouts (from STS-26 through STS- 115). Thirteen cases in which SSV 
rollout was delayed in a manner that would have been applicable to the LON scenario were identified, 
nine of which were weather related. Of the nine weather delays, eight occurred during hurricane 
season (June through November). Since the final HST launch was outside of hurricane season (May 


2009), a probability of 0.0549 (5 divided by 91) was used to model the likelihood of an SSV rollout 
delay outside hurricane season. 

Launch pad turnaround is assumed to be initiated prior to LON vehicle call-up, immediately following 
the HST launch. KSC advertised an 8-day pad wash and refurbish timeline in the Volume II Schedule 
and Status, Enhancement Analysis KSC Processing, Summary Data (SFOC DRD-1.1.7.c) dated 
December 12, 2002. An 8-day duration was shown as being under review and was based upon 
nominal launch damage. However, in the HST LON analysis, an accelerated schedule of 
approximately four days was assumed based upon the recommendation from KSC. This 
recommended refurbish time is consistent with the fastest pad turnaround in the post-Challenger era. 
STS-51 was launched at 7:45 am on September 12, 1993 from Pad 39B. STS-58 arrived on 
September 17. However, since four days is based upon nominal launch damage, there is also risk of 
greater than nominal launch pad damage. For post-Challenger launches (STS- 107 and STS-96 not 
included), 4 (or 5) launches out of 90 were identified as having greater than nominal launch damage 
(STS-124, STS-108, STS-59, STS-26 and STS-70). In cases where the damage has been greater than 
nominal, the time between launch and next pad usage is known. However, except for the extensive 
flame trench damage repair required after the STS-124 launch, it cannot be concluded the pad 
turnarounds spanned the entire durations. It should be noted that it is difficult to analyze pad 
turnaround risk. In most cases, the time between launch and the next vehicle arrival is greater than 
eight days, because the launch rate does not necessitate such quick times between launch and next 
vehicle arrival. Consequently, the time required to accomplish pad turnaround can expand. 
Additionally, the available historical data does not lend itself to determining when the launch pad was 
available to accept a vehicle. For this reason, the MLP time on the launch pad was used as an analog. 

Consideration was also given to the potential that TPS damage to an Orbiter could prompt increased 
scrutiny during launch pad turnaround. For example, the source of the damage to the TPS could be 
debris on the launch pad being kicked up by the engine start sequence or during the initial moments of 
liftoff. Probabilities for increased scrutiny were based upon engineering judgment. In the case of a 
FD2 “call up,” the probability was assumed to be one and zero in the case of a FD10 call up. Delay to 
pad turnaround is likely to be minimized by the desire to accomplish LON in a timely fashion. 
Consequently, there may be no delay to pad turnaround 50% of the time (estimate). Delays would be 
limited to one day 40% of time (estimate) and two days 10% of the time (estimate). 

4. RESULTS 

The baseline crew rescue success is shown in Figure 5, which assumes the HST Orbiter does not 
power down below a Modified Group C power down to protect re-entry capability. Figure 5, shows 
the probability of crew rescue success significantly increases with the first few days of contingency 
days available and then starts leveling out. For FD 10 “call ups,” there is only a single launch 
opportunity; and the probability of success is 53%. If three additional days were available, which is 
the case if a Group C+ power down is performed, the probability of success increases to 74% as 
shown in Table 1. 



Figure 5: Baseline Dual Pad Crew Rescue Results (No C+ Power down) 
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Figure 5 was developed so that risk trades could be accomplished by simply shifting the “maximum 
stay time” line. In addition, the curves could be shifted to assess the differences in LON launch 
readiness. For example, the baseline assumes L-3, but the curves could be shifted to the right a day to 
assume L-4. For a FD2 “call up,” this does not change the results at all, because the “call up” occurs 
before the LON vehicle reaches L-4. For the FD10 “call up,” the probability of success is zero 
without a Group C+ power down. Therefore, if the Shuttle Program decided to keep the LON vehicle 
at L-4 to hold off on loading cryogenics, the HST vehicle would have to go to a Group C+ power 
down to maintain a rescue capability. These results are summarized in Table 2. 


Table 1: Crew Rescue Comparisons with and without C+ Power down (L-3) 
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Crew Rescue 
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86% 

18 days 
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19 days 

82% 

17 days 
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17 days 
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Table 2: Crew Rescue Comparisons with and without C+ Power down (L-4) 



With C+ Power down 

Without C+ Power down 


Staytime 

Crew Rescue 
Success 

Staytime 

Crew Rescue 
Success 

FD2 

24 days 

86% 

18 days 

82% 

FD4 

19 days 

81% 

17 days 

78% 

FD10 

17 days 

70% 

14 days 

0% 


The loss of crew rescue probability for a FD2 “call up” is shown in Figure 6. This is simply 1 minus 
the probability of success, or 0. 18. This probability is represented by the fraction 1:6 when rounded to 
the nearest whole number. Figure 6 shows that over 50% of the risk is due to launch delays not 
including pad aborts, with pad aborts providing the second biggest risk driver. It also shows that a 
fraction -14% of the risk results in loss of both the HST crew and the rescue crew due to an ascent or 
entry LOCV. 


Figure 6: FD2 Loss of Crew Rescue Probability 
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5. CONCLUSION 

The risk trade space for the HST crew rescue included many variables, including when and to what 
extent power down procedures were to be implemented, to what extent the LON vehicle should be 
processed, and initially whether to provide dual pad capability. Crew rescue success needed to be 
weighed against preserving the ability of the Orbiter to have a landing option in case there was a 
problem with the LON vehicle. In the end, the HST SM4 was successfully completed on May 24 th 
2009 and did not require the rescue mission. Had a rescue mission been required, the baseline plan 
was to remain in the Modified Group C power down to protect the HST Orbiter’ s capability to land in 
the event that a rescue mission could not be completed. Although the analysis showed significant 
improvement going to a Group C+ power down in the case of a FD10 “call up” (53% to 74%), the 
probability of needing a rescue mission, which was not discussed in this paper, was low — such that the 
overall increase in risk was minimal. 
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INTRODUCTION 


Following the Columbia accident (STS-107), Hubble Space Telescope (HST) 
Servicing Mission 4 (SM4) was removed from the Shuttle manifest 

- believed that the risk of flying the HST mission would be too high, because at 
the time, there was no stand-alone repair technique or crew rescue capability. 

NASA revisited the HST SM4 decision in 2006 for several reasons 

- Improvements in the ascent debris environment 

- Ability to perform stand-alone repairs with the Orbiter Boom Sensing System 
(OBSS) 

- Potential to provide a crew rescue capability. 

This presentation focuses on quantifying the HST mission loss of crew 
rescue capability using Shuttle historical data and various power down 
strategies to conserve Orbiter consumables; thus, extending the mission 
lifetime of the Orbiter. 

The results from this effort supported NASA's decision to proceed with the 
HST SM4 a.k.a. STS-125, which was successfully completed on May 24 th 
2009. 


METHODOLOGY 



• The HST SM4 crew rescue risk was calculated utilizing a Discrete Event Simulation (DES) built 
with Rockwell Software's Arena Discrete Event Simulation Software 

- Built off of the Space Shuttle Manifest Assessment Simulation Tool (MAST) which was already used 
by NASA 

- Includes the timeframe from HST Service Mission launch through rescue and re-entry of the LON 
mission. 

- The ground timeline for the LON vehicle, also referred to as STS-400, was provided by NASA Kennedy 
Space Center (KSC) 

- The flight timeline was provided by NASA Johnson Space Center (JSC) Mission Operation Directorate 
(MOD). 

• The underlying premise of this analysis is that past performance, expert opinion, and the 
results from other analyses may be used in conjunction with discrete event simulation 
modeling to help predict future performance i.e., the probability of mission success. 

• Model inputs 

- Historical data regarding the Mobile Launch Platform (MLP), Crawler Transporter (CT), Vehicle 
Assembly Building (VAB), pad, and launch was used to derive delay probabilities and delay 
distributions. 

- Event probabilities for ascent risk, crew transfer risk, and re-entry risk were based upon historical 
data. 

• The model has the option to exclude or include each risk. 

• The results are based upon 5,000 replications, and sensitivities to model assumptions were 
performed 
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BACKGROUND 


Following the Columbia accident, the Shuttle Program initiated on-orbit inspections on Flight 
Day (FD)2 to inspect for critical ascent damage and a later inspection towards the end of the 
mission to inspect for Micrometeoroid and Orbital Debris (MMOD) critical damage. 

- Ascent debris and MMOD constitute a significant portion of the Shuttle risk (~50%) 

- Critical damage is defined as damage to the TPS that will result in Loss of Crew and Vehicle (LOCV) 
during re-entry if action is not taken. 

- The timing of the latter inspection varies mission to mission; and for the HST mission, it was 
scheduled for FD9. 

To mitigate the risk of detected critical damage, the Shuttle Program developed repair 
techniques and a crew rescue capability if a repair cannot be accomplished. 

For the HST mission, crew rescue was significantly different than for ISS missions 

- HST mission's capability to remain on Orbit was limited by the Orbiter's small supply of consumables. 

• An Orbiter typically must return to Earth after about 12-14 days. 

- Provisions were necessary to maximize the HST mission's rescue capability, including manifesting 
additional LiOH, which absorbs C0 2 , and planning for contingency power downs, which extend the 
Orbiter's stay time by minimizing the use of consumables for electric power generation. 

- The contingency power downs analyzed were limited to those that were already proceduralized and 
maintained the capability to dispose of the HST Orbiter via a controlled re-entry to protect the public 
from re-entry debris 

• Group B power down, was part of the nominal flight plan to conserve power without impacting the HST mission 

• Modified Group C power down, retained nominal entry capability, while providing additional stay time 

• Group C+ power down, nominal entry capability was lost and could not be recovered due to powering off the 
Auxiliary Power Unit (APU) and hydraulic heaters. 

• More extensive power downs could be performed, but these would have additional unknown risks, including 

potentially exposing the public to re-entry debris. 4 



BACKGROUND (2) 



• Due to agency desire to preserve launch date for the Ares l-X, which was 
scheduled to launch from Launch Complex 39-B in same timeframe two potential 
options for LON capability were explored 

- A dual pad option where the LON vehicle would be processed and launched from 
Launch Complex 39-B, which was different from the HST mission 

• An example timeline for dual pad and single pad options is shown on the next chart 

- A single pad option where the LON vehicle would be processed and launched from 
Launch Complex 39-A, which is the same launch pad used for the HST mission. 

• Risk trades evaluating single pad verses dual pad were preformed several times 
leading up to the launch of STS-125. 

• The final decision was to use dual pad operations, which increased the margin 
between first LON opportunity and STS-125 maximum stay time, improving overall 
probability of success and operational flexibility. 

- Single pad operations incurred additional risks such as: reduced margins by delaying 
first launch opportunity of LON until FD14, increased the risk from potential STS-125 
launch damage to pad, and included Space Shuttle Vehicle (SSV) transfer to pad and pad 
turnaround. 
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PLANNED TIMELINES (FLIGHT DAY 2 CALL-UP 
AND 24-DAY STAY TIME) 
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MODEL INPUTS 


The inputs to the Arena model include mission timelines and risks for completing 
the crew rescue and LON actions prior to depleting the HST Orbiter consumables. 

- Two important timelines 

• LON vehicle timeline, which includes ground processing time and the time it takes to 
rendezvous with the HST vehicle and transfer the crew. 

• HST mission timeline, which includes when inspections and power downs occur. 

For dual pad crew rescue, the following risks were considered 

- Post-launch ascent 

- Crew transfer 

- Re-entry risks 

- Launch countdown risk 

- Pad operations flow prior to launch countdown (Pre-LCD) risks 



MODEL INPUTS (2) 



• Post-launch ascent based upon Shuttle history 

- One ascent abort (STS-51F); therefore, the probability of an ascent abort is 1:124 

- One ascent LOCV (STS-51L); therefore, the probability of ascent LOCV is 1:125 

• Re-entry risks based upon Shuttle history 

- There has been one entry LOCV (STS-107 ); however, in order to need crew rescue on 
the HST mission, the HST mission would also be considered and entry LOCV would yield 
a probability of 2 in 124 or 1:62. 

• Risk associated with crew transfer was based upon the basic Cognitive Reliability 
and Error Analysis Method (CREAM) and engineering judgment 

- Calculated to be 1:100 

- For crew transfer, the plan was to use the rescue Orbiter's Shuttle Remote Manipulator 
System (SRMS) to grapple the HST Orbiter; this is shown in Figure below 


STS-400 Hold Position 



Earth 
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MODEL INPUTS (3) 


Launch countdown risk derived from the total Space Shuttle launch experience 


- Summary of the launch data is shown chart 10, Overall, the probability of a delay or 
scrub during launch countdown has been fairly stable since 1991. 


- Consideration was not given for the potential that the Mission Management Team 
(MMT) could behave differently during an LON countdown. 

• However, some of the historical launch delays were scrubbed out as not applicable to an LON 
missing. For example, a launch delay due to a payload issue was not considered. 

- Shuttle historical data was also used to estimate the time between launch attempts. 

• The duration of the delay/scrub until the next launch attempt is dependent upon the reason for 
the delay/scrub, Chart 11 shows the historical weather delay frequencies; similar distributions 
were developed for other launch countdown delay contributors. 

• Weather delays/scrubs have a 67% chance of being one day in duration; whereas, flight 
hardware delays/scrubs are more likely to require a greater number of days. 

• Operational prerogative and infrastructure delays seem to fall between the weather and flight 
hardware delays in terms of duration; however, the infrequent nature of these delays and the 
resulting lack of empirical data makes the duration of these delays more difficult to predict with 
accuracy. 

• Except for the SSME on pad abort, consideration was not given for the potential that the time 
required to recover from a launch delay/scrub may be reduced during an LON scenario. 


• Pre-launch countdown pad delay risk was derived from Shuttle history but 

discounted to reflect an assumption that a large percentage of the problems have 
already been encountered and corrected 
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HISTORICAL LAUNCH DATA 


Historical Launch Outcome Percentages 


MAST Sim Info 


Delays or Scrubs During Launch Countdown (S0007) 


Launch Data Through 
STS-124 2008_10_15.xls 

Launch Occurs 

Weather 

Flight Hardware 
(Less Engine Abort) 
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Operational 
Prerogative 

Main Engine 
Abort 

Total 

From Start of Countdown 
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2.23% 
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After scrubbing historical data set for applicability to LON Scenario 




Delays or Scrubs During Launch Countdown (S0007) 
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WEATHER DELAY DURATION 



Turnaround Time for Weather Delays/Scrubs 
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Arena Representation: 
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Probability Successful Crew Rescue 



1.00 

0.90 


BASELINE DUAL PAD CREW RESCUE RESULTS 
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HST Flight Days 

• The baseline risk is shown above and assumes the HST Orbiter does not power down below a Modified Group 
C power down to protect re-entry capability 

• Figure shows the probability of crew rescue success significantly increases with the first few days of 
contingency days available and then starts leveling out 

• For FD 10 "call ups " there is only a single launch opportunity; and the probability of success is 53% 

• If three additional days were available, which is the case if a Group C+ power down is performed, the 
probability of success increases to 74% as shown in the table on the next chart 
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CREW RESCUE COMPARISONS 


CREW RESCUE COMPARISONS WITH AND WITHOUT C+ POWER DOWN (L-3) 



With C+ Power down 

Without C+ Power down 


Staytime 

Crew Rescue 
Success 

Staytime 

Crew Rescue 
Success 

FD2 

24 days 

86% 

1 8 days 

82% 

FD4 

1 9 days 

82% 

17 days 

80% 

FD10 

1 7 days 

74% 

14 days 

53% 


CREW RESCUE COMPARISONS WITH AND WITHOUT C+ POWER DOWN (L-4) 



With C+ Power down 

Without C+ Power down 


Staytime 

Crew Rescue 
Success 

Staytime 

Crew Rescue 
Success 
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18 days 
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FD4 
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Crew rescue success changes with varying levels of launch 
readiness and varying levels of powerdowns 
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Ascent LOCV- 1:119 
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Figure to the left is used to show the 
overall probability of loss of crew rescue 
broken down by risk 

This is simply 1 minus the probability of 
success, or 0.18 represented by the 
fraction 1:6 when rounded to the 
nearest whole number 

Shows that over 50% of the risk is due 
to launch delays not including pad 
aborts, with pad aborts providing the 
second biggest risk driver. 

Shows that a fraction of the risk (~14%) 
results in loss of both the HST crew and 
the rescue crew due to an ascent or 
entry LOCV. 
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CONCLUSION 



• The risk trade space for the HST crew rescue included many variables 

- When and to what extent power down procedures were to be implemented 

- To what extent the LON vehicle should be processed 

- Whether to provide dual pad capability 

• Crew rescue success needed to be weighed against preserving the ability of the 
Orbiter to have a landing option in case there was a problem with the LON vehicle. 

• HST SM4 was successfully completed on May 24 th 2009 and did not require the 
rescue mission. 
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